The Data Governance Act: Europe’s Ambitious Yet Non-Committal Data Strategy
In a comprehensive legal analysis, our CEO Joost Gerritsen examines whether the Data Governance Act (DGA) can deliver on its promise to boost Europe’s data economy to €544 billion by 2028. Published in the Dutch Journal for European Law, the analysis reveals fundamental tensions between the DGA’s ambitious goals and its non-binding approach, raising critical questions for privacy professionals, supervisory authorities, and data protection consultants navigating this new regulatory landscape.
The DGA, which became applicable on September 24, 2023, represents the first legislative pillar of the European data strategy. It aims to create a Single European Data Area where data flows freely within the EU, fostering innovation particularly in AI development. Yet as the analysis demonstrates, the regulation’s relevance remains questionable despite its modern terminology of “data pools” and “machine learning.”
Four Regulatory Pillars with Uncertain Foundations
The DGA introduces four main regulatory frameworks, each presenting unique challenges for implementation:
1. Protected Data Re-use by Public Bodies
The regulation covers data protected by commercial confidentiality, statistical confidentiality, intellectual property rights, or personal data protection laws that fall outside the Open Data Directive. However, crucially, there’s no obligation for public bodies to allow re-use. Member States retain complete discretion, creating uncertainty for potential re-users who don’t know what to expect from public bodies.
2. Data Intermediation Services
These include data marketplaces, data cooperatives, and services empowering data subjects to exercise their GDPR rights. Providers must notify authorities before operating and comply with strict neutrality requirements—they cannot use exchanged data for their own purposes. Yet the DGA’s definition of these services remains unclear, listing what they don’t cover rather than providing clear guidance on what they do.
3. Data Altruism Organisations
The framework allows voluntary registration of entities collecting data for altruistic purposes like public health or climate research. Organisations can obtain a logo and EU-wide recognition, but registration isn’t mandatory. The analysis questions whether the prospect of a label and subsequent oversight will actually encourage data altruism.
4. European Data Innovation Board
This expert group, including representatives from all Member States, the EDPB, EDPS, and ENISA, will develop guidelines for European data spaces and facilitate cooperation between authorities.
Implementation Challenges and Regulatory Gaps
The analysis identifies several critical implementation challenges that compliance consultants and law firms must navigate:
- Delayed implementation: The Netherlands risks late implementation, similar to the Open Data Directive which still hasn’t been transposed into national law
- Insufficient enforcement capacity: The Dutch Data Protection Authority has less than 3 FTE available for preparing new EU regulations including the DGA and AI Act
- Unclear definitions: The regulation devotes extensive attention to exclusions rather than clear definitions, creating legal uncertainty
- Limited market presence: The Netherlands has only a handful of parties advertising as “data cooperatives”—will regulation change this?
Neutrality Requirements and Business Model Constraints
For data intermediation services, the DGA imposes strict neutrality requirements that fundamentally limit business models:
- Services must operate through separate legal entities
- Providers cannot use exchanged data for their own products or services
- Data can only be used to improve intermediation services themselves
- Services cannot be bundled or create lock-in effects
These constraints aim to create alternatives to Big Tech dominance but may inadvertently stifle innovation and viable business models. The analysis notes that digital gatekeepers like search engines and app stores aren’t obligated to display DGA logos, limiting consumer awareness of compliant services.
International Data Flows: Economic Ambitions vs. Protection
The DGA takes a notably different approach to international data transfers than the GDPR. While personal data transfers remain restricted, non-personal data may flow internationally if there’s no risk of re-identification. This distinction reflects economic motivations—the Commission advocates international data flows to strengthen the EU’s competitive position in global trade.
For supervisory authorities, this creates new challenges in monitoring data flows and ensuring that combinations of non-personal datasets don’t lead to identification of data subjects—a risk that research shows is increasingly possible.
The Paradox of Modern Yet Irrelevant Legislation
The analysis poses a fundamental question: Is the DGA truly modern legislation that will drive the data economy, or are key provisions irrelevant? Several factors suggest the latter:
Non-binding nature: Like the 2003 Public Sector Re-use Directive, the DGA lacks mandatory provisions. While the 2019 Open Data Directive evolved to require data provision for high-value datasets, the current DGA remains non-committal.
Questionable incentives: Why would organisations pursue data altruism registration for a logo and increased oversight? The small number of existing data altruism organisations suggests limited appeal.
Transitional arrangements: Data intermediation services have until September 24, 2025, to comply—but will clarity emerge from the Commission or EDIB by then?
Critical Perspectives from Legal Practice
The Dutch Council of State, as legislative adviser, expressed critical views about the lack of clarity for re-users. Without clear policy on data re-use, potential users face uncertainty about what public bodies will provide. This echoes broader concerns about the DGA’s practical applicability.
The analysis suggests that while the DGA contains modern concepts, its non-binding approach may render it irrelevant. The Dutch government could remove this irrelevance through decisive, non-exempt policies and legislation—but whether political will exists remains uncertain.
Implications for Privacy and Data Protection Professionals
For privacy professionals and data protection experts, the DGA adds another layer to an already complex regulatory landscape. Key considerations include:
- Understanding how the DGA supplements rather than replaces the Open Data Directive
- Navigating conflicts between DGA provisions and GDPR requirements (where GDPR prevails)
- Advising on notification procedures for data intermediation services
- Assessing whether data altruism registration offers meaningful benefits
- Preparing for potential future versions that may introduce mandatory provisions
Navigate the Complete EU Digital Rulebook with Digibeetle
The Data Governance Act represents just one piece of an increasingly complex EU digital law puzzle. As this analysis demonstrates, understanding how the DGA intersects with other regulations—the GDPR, AI Act, Data Act, European Health Data Space Regulation, Digital Services Act, and Digital Markets Act—is crucial for effective compliance and strategic planning.
Ready to master the EU Digital Rulebook? Explore all EU digital laws including the DGA on Digibeetle. Get comprehensive access to regulations, cross-references, expert analysis, and regular updates—all in one integrated platform. Start your free 30-day trial today and navigate EU digital compliance with confidence.
